tech-net archive


Re: NetBSD IP security in practice

Edgar Fuß <> writes:

>> The other issue is that I am not clear on if there is adequate support
>> for dynamic-remote-peer VPN (road warrior type, vs site-site), which often
>> involves provisioning a private/internal address for the remote host to
>> use inside a tunnel.
> I thought that was exactly the point the L2TP-over-IPsec-Matroshka was
> good for: you can't use tunnel mode when you don't have a local IP to
> tunnel.
> Or is there a more intelligent way than
> PPP-over-L2TP-over-UDP-over-IPsec-over-IP-over-whatever?

There is a way to do the equivalent of DHCP using IKE as the control
protocol.  So you have an RFC1918 address behind some NAT, do IPsec with
NAT-T to get to the VPN gateway, and then get a perhaps-public
inside-enterprise-firewall address over the IKE control connection, and
then configure that somehow and use it for packets that are heading into
the tunnel.

I have seen this work with a proprietary VPN implementation on a
proprietary OS.  I've never tried to do it with NetBSD.
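The "DHCP over the IKE control connection" mechanism described in the reply above corresponds, in IKEv2, to the Configuration Payload (RFC 7296 section 3.15): the road-warrior client sends a CFG_REQUEST with empty INTERNAL_IP4_ADDRESS / INTERNAL_IP4_NETMASK / INTERNAL_IP4_DNS attributes, and the gateway answers with a CFG_REPLY that fills them in. The following Python is an added example, not code from the thread, from NetBSD or from any VPN product; it assumes the thread is talking about exactly this IKEv2 payload, and every byte string in it is constructed here for illustration. It encodes and decodes the payload, plays a toy gateway, and shows the length checks a parser needs so that a malformed attribute length cannot run past the payload.

```python
"""Build and parse IKEv2 Configuration Payloads (RFC 7296 section 3.15).

Assumption: the "DHCP-like address assignment over the IKE control
connection" mentioned in the thread is the IKEv2 Configuration Payload
(CFG_REQUEST / CFG_REPLY) carrying INTERNAL_IP4_* attributes.  All byte
strings below are constructed for this example; none come from a real
gateway or from NetBSD.
"""
import ipaddress
import struct

# CFG Type values (RFC 7296, 3.15)
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4

# Configuration attribute types (RFC 7296, 3.15.1)
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_NETMASK = 2
INTERNAL_IP4_DNS = 3

NO_NEXT_PAYLOAD = 0  # Next Payload value when this is the last payload


def build_cp(cfg_type, attributes, next_payload=NO_NEXT_PAYLOAD):
    """Serialize a Configuration Payload.

    attributes: list of (attr_type, value_bytes).  An empty value in a
    CFG_REQUEST means "please assign one for me".
    """
    body = b""
    for attr_type, value in attributes:
        if attr_type >> 15:
            raise ValueError("attribute type must fit in 15 bits (R bit is reserved)")
        body += struct.pack("!HH", attr_type, len(value)) + value
    # Generic payload header (next payload, critical/reserved, length)
    # followed by the CFG Type byte and three RESERVED bytes.
    length = 8 + len(body)
    return struct.pack("!BBHB3x", next_payload, 0, length, cfg_type) + body


def parse_cp(data):
    """Parse one Configuration Payload, rejecting inconsistent lengths.

    Returns (cfg_type, [(attr_type, value_bytes), ...]).
    """
    if len(data) < 8:
        raise ValueError("truncated configuration payload header")
    _next_payload, _flags, length, cfg_type = struct.unpack("!BBHB", data[:5])
    if length < 8 or length > len(data):
        raise ValueError(f"payload length {length} inconsistent with buffer")
    if cfg_type not in (CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK):
        raise ValueError(f"unknown CFG type {cfg_type}")
    attrs = []
    off = 8
    while off < length:
        if length - off < 4:
            raise ValueError("truncated attribute header")
        raw_type, alen = struct.unpack("!HH", data[off:off + 4])
        attr_type = raw_type & 0x7FFF  # top bit is the reserved R bit
        off += 4
        # The attribute must lie entirely inside the payload it belongs to.
        if alen > length - off:
            raise ValueError(f"attribute {attr_type} length {alen} overruns payload")
        attrs.append((attr_type, data[off:off + alen]))
        off += alen
    return cfg_type, attrs


def gateway_reply(request_data, pool_addr, netmask, dns):
    """Toy gateway: answer a CFG_REQUEST with an inside address from a pool."""
    cfg_type, attrs = parse_cp(request_data)
    if cfg_type != CFG_REQUEST:
        raise ValueError("expected CFG_REQUEST")
    wanted = {t for t, _ in attrs}
    reply = []
    if INTERNAL_IP4_ADDRESS in wanted:
        reply.append((INTERNAL_IP4_ADDRESS, ipaddress.IPv4Address(pool_addr).packed))
    if INTERNAL_IP4_NETMASK in wanted:
        reply.append((INTERNAL_IP4_NETMASK, ipaddress.IPv4Address(netmask).packed))
    if INTERNAL_IP4_DNS in wanted:
        reply.append((INTERNAL_IP4_DNS, ipaddress.IPv4Address(dns).packed))
    return build_cp(CFG_REPLY, reply)


def assigned_ipv4(reply_data):
    """Return the inside address a CFG_REPLY grants, as a dotted string."""
    cfg_type, attrs = parse_cp(reply_data)
    if cfg_type != CFG_REPLY:
        raise ValueError("expected CFG_REPLY")
    for attr_type, value in attrs:
        if attr_type == INTERNAL_IP4_ADDRESS and len(value) == 4:
            return str(ipaddress.IPv4Address(value))
    return None


def demo():
    # Constructed exchange: the client behind NAT asks for address, mask, DNS.
    req = build_cp(CFG_REQUEST, [(INTERNAL_IP4_ADDRESS, b""),
                                 (INTERNAL_IP4_NETMASK, b""),
                                 (INTERNAL_IP4_DNS, b"")])
    rep = gateway_reply(req, "10.99.0.17", "255.255.255.0", "10.99.0.1")
    return assigned_ipv4(rep)


if __name__ == "__main__":
    print(demo())  # the address the client would configure on its tunnel side
```

The address handed back is what the client then has to "configure somehow" on the inside of the tunnel; the parser's overrun check is the part worth copying into anything that consumes these payloads from untrusted peers.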
